Data Retention

Various Member States, Italy in primis, will have to revise their legislation on the conditions and duration of the obligations upon ISPs and telecoms to keep records of Internet traffic and telephony conversations. The telecom industry will seek opportunities to reduce such obligations, which normally require huge capex investments in data retention equipment and exhausting communications with public prosecutors. Finally, civil rights organizations will attack existing data retention legislation in court on the assumption that it conflicts with European jurisprudence. All this will happen in a scenario where national governments tend, in contrast with the above, to reinforce internal surveillance for antiterrorism reasons, rather than relaxing the public security regime.

The above are the main effects of today’s CJEU ruling on a joined case concerning the legitimacy of data retention laws in EU Member States.

This court decision follows the previous 2014 ruling about the annulment of the European Data Retention Directive. In that case, the CJEU just pointed out the relation between fundamental rights, data protection and retention of personal data by ISP and telecom operators, with the final result that the directive was annulled. The same principles are now applied directly in the context of national legislations on data retention, without major changes.

To tell the truth, following the 2014 ruling most European countries started a review of their respective legislation on data retention, though with the prevailing result of keeping the existing legislation alive (save for some minor adaptations). In some countries, however, the local constitutional courts rendered rulings annulling their data retention legislation. A few countries remained completely inactive, amongst them Italy. Today’s ruling will make this wait-and-see strategy even more difficult.

The main conclusions of today’s ruling are:

· Member States may not impose a general obligation to retain data on providers of electronic communication services

· Data retention is admissible under EU law only in instances where it is targeted, limited to what is strictly necessary, and subject to conditions (e.g. prior review by an independent authority, localization of data, etc).

The reasoning of the CJEU is summarized below:

· EU law precludes national legislation prescribing general and indiscriminate retention of data.
· Data retention constitutes a serious interference with citizens’ fundamental rights and as such can only be utilised in the fight against serious crime.
· Legislation prescribing a general and indiscriminate retention of data does not require there to be any relationship between the data which must be retained and a threat to public security.
· Such national legislation therefore exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society, as required by the directive, read in the light of the Charter.
· The EU acquis does not however preclude national data retention laws, provided that the retention of data is: (i) Limited to what is strictly necessary (in terms of categories of data retained, persons targeted, retention period, etc); (ii) Defined in clear and precise national legislation; (iii) Constrained by meaningful procedural safeguards; (iv) Based on objective evidence.
· Concerning access to data, Member States must introduce objective criteria in order to define the circumstances and conditions under which the competent national authorities are to be granted access to the data.
· It is essential that access to retained data should, except in cases of urgency, be subject to prior review carried out by a court or an independent authority.
· National data retention legislation must make provision for that data to be retained within the EU owing to its sensitivity.

The Advocate General Saugmandsgaard Øe of the Court of Justice of the European Union has delivered an opinion in which he suggests that Member States may enact a general obligation on ISPs to retain personal data, provided that that obligation is circumscribed by strict safeguards and that the scope of the legislation is to fight serious crimes (not just any crime). The opinion has been rendered in cases regarding the compatibility with EU law of data retention legislation in Sweden and the UK (Joined Cases C-203/15 Tele2 Sverige AB v Post- och telestyrelsen and C-698/15 Secretary of State for Home Department v Tom Watson and Others).

The Advocate General’s intent seems to be a re-working of the famous decision of 2014 by which the European Court annulled the EU data retention Directive (directive 2006/24) on the grounds, inter alia, that it laid down a too general and far-reaching retention obligation contrary to human rights. Because of that decision, various national laws on data retention in Europe have become potentially incompatible with EU law, and in fact many of them have been revised or annulled.

With the present opinion the Advocate General seems to fix the issue that, even if the scope of a data retention legislation must be circumscribed to serious crimes, the obligation can nevertheless be drafted in a general way. Fact is, while storing and retaining personal data, ISPs cannot know – ex ante – whether such data refer to serious crimes or to other less relevant criminal facts. Therefore, they can be obliged to retain all kinds of data they process; however, access to them for criminal investigation shall be restricted and subject to special guarantees.

If confirmed by the European Court, the reasoning of the present opinion can likely become the basis for a new directive on data retention.

UPDATE: On June 11, 2015 the Belgian Constitutional Court declared the Belgian data retention law invalid. The decision is here; more information to follow.

On March 11, 2015 a Dutch court declared the national data retention legislation to be invalid. The decision is a foreseeable effect of the previous sentence of the Court of Justice of the European Union which on April 8, 2014 annulled the European Directive on data retention (Directive 2006/24/EC).

Following the annulment by the EU jurisdiction, European Member States are barely starting to face the consequences of that. In fact, the European judgement did not make national data retention legislation (whether or not enacted as implementation of the annulled directive) automatically invalid. However, because of the principles laid down by the European court, most such national laws are at risk, because they impose data retention obligations in a too general and far-reaching way. According to the European Court, data retention obligations are compatible with EU law, namely with fundamental rights and privacy, as far as they are sufficiently selective and proportionate.

In the case of the Netherlands, the government made a review of the national data retention legislation and concluded that no major modifications were needed and that in any case such legislation was necessary “for the investigation and prosecution of serious criminal offenses”. Only a few adjustments were made, which mainly tightened who had access to what data and under what circumstances. However, such adjustments have only been proposed and consulted on, and have not yet entered into force. The current judgment therefore only related to the “original” law.

Remarkably, unlike the European Court, the Dutch judge did not declare the massive collection of data illegal as such. It seems that, according to the Dutch court, a limitation on the data that need to be retained would not make sense, given the purpose of the legislation, which is to fight and prevent serious crimes (§3.8 of the ruling). The court mainly focused on the surrounding safeguards, such as: where and how are the data stored? Who can access the data, how, and for what kind of crimes (i.e. not only serious crimes)? Here is a Google translation of the relevant paragraph:

“In that respect it is noted that a limitation of the data to be saved to the data of suspected citizens is not conceivable in view of the purpose of the Wbt, i.e. the effective detection of serious crime. In case of a first offender it is not possible to distinguish in advance between suspicious and non-suspicious citizens. The need for providing assurances and guarantees regarding access to these data, however, is all the greater because it is a very large interference, so that should be put to that high standard.”

Also other European governments, for instance Denmark, UK and Sweden, reviewed their national legislations to be in line with the European judgment. To have a full picture see my previous post.

While the details of the case at stake still need to be analyzed, it is clear that some European governments have underestimated the consequences of the annulment of the European directive. On the basis of this precedent, any individual can challenge national data retention rules on the basis that they do not comply with the criteria laid down by the European court. Whether or not such legislation was enacted as implementation of the annulled directive is irrelevant.

Other important European governments, such as Italy for instance, are silent on the matter, and they risk having their data retention legislation declared entirely invalid by a court, with major consequences for their entire investigation activities.

Following the annulment of the Data Retention Directive on April 8, 2014, by the Court of Justice of the European Union, European Member States are barely starting to face the consequences of that.

As stated in my previous post on the matter, the European decision did not make national data retention legislation (whether or not enacted as implementation of the annulled directive) automatically invalid. However, because of the principles laid down by the European court, most such national laws are at risk, because they impose data retention obligations in a too general and far-reaching way. This conclusion is also shared by a study commissioned by the Greens Group at the European Parliament, which can be found here.

In fact, in §59 of the judgment the European judges stated that “blanket” data retention legislation is not allowed; it must be selective and focussed:

“Moreover, whilst seeking to contribute to the fight against serious crime, Directive 2006/24 does not require any relationship between the data whose retention is provided for and a threat to public security and, in particular, it is not restricted to a retention in relation (i) to data pertaining to a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved, in one way or another, in a serious crime, or (ii) to persons who could, for other reasons, contribute, by the retention of their data, to the prevention, detection or prosecution of serious offences.”

For a long time Member States have hesitated to take action, also because of the lack of guidance from the European Commission, which bears its share of responsibility for this messy situation. Denmark was one of the first countries to make a legal analysis of whether the European decision could somehow affect its data retention legislation, but it then concluded that there was no reason to act.

In June, at a recent closed meeting of EU Justice and Home Affairs ministers, the Council’s Legal Services is reported to have stated that paragraph 59 of the European Court of Justice’s ruling on the Data Retention Directive “suggests that general and blanket data retention is no longer possible”. Therefore, should Member States not take action, the matter will likely be submitted by individuals to national courts, which will take the decision instead of the government, as just happened in Austria. In other words, today’s judgement of the Austrian Constitutional Court is a clear reminder to most European Member States that postponing a decision on this matter is not a good strategy. Italy is one of the countries most at risk, because its national legislation is just a copy & paste of the annulled directive.

Finally, breaking news of April 27, 2015: in an answer to a parliamentary question Dimitris Avramopoulos, Commissioner for Migration, Home Affairs and Citizenship confirmed that instead of presenting a new legislative initiative on Data Retention, the Commission intends to launch a public consultation on the matter with relevant stakeholders.

***

Here is a list of countries which are definitively deleting DR rules (in addition to Ireland, which caused the case in front of the European Court):

Austria

On June 27, 2014 the Austrian Constitutional Court declared invalid most parts of the Austrian law on data retention. This is the first national decision taken after the important sentence of the European Court of Justice which, on April 8, 2014, annulled the European Directive on data retention (Directive 2006/24/EC).

Austrian ISPs have to stop retaining and providing information to the Austrian authorities about data retained under the data retention regime by the end of the day following the publication of the decision. ISPs will however still be allowed to retain traffic data for their own legitimate purposes (billing, fraud prevention etc.) for a certain amount of time. Such data could still be accessible by public authorities for public security reasons.

A source in the Austrian ISP industry described as “very positive” from an ISP angle the fact that the system implemented for the exchange of information with law enforcement agencies (the so-called “Durchlaufstelle” / “DLS”) will remain in place and will be used for the exchange of information about the traffic data ISPs are still allowed to retain.

Belgium

On June 11, 2015 the Belgian Constitutional Court declared the Belgian data retention law invalid. The decision is here; more information to follow.

Bulgaria

The Bulgarian data retention law was declared incompatible with the national constitution on March 12, 2015. No further details are available at the time.

Germany

On 2 March 2010 (so, even before the European annulment judgement), the Federal Constitutional Court ruled the German data retention law unconstitutional as a violation of the guarantee of the secrecy of correspondence. As such, the directive is not currently implemented in Germany. However, we learned that the German government is trying to reintroduce a law on data retention. On April 15, 2015, the Minister for Justice and Consumer Protection, Heiko Maas, and the Minister of Internal Affairs, Thomas de Maiziere, presented a document with a few guidelines: http://www.bmjv.de/SharedDocs/Downloads/DE/pdfs/20150415-Leitlinien-HSF.pdf?__blob=publicationFile. The German association Eco raised doubts about the adequacy and consistency of the proposal with the principles laid down by the European court. A few weeks later, the German constitutional court issued a statement raising doubts about the proposed measure.

Romania

The Romanian data retention law was declared unconstitutional by the Constitutional Court on July 8, 2014. The ruling applies to all provisions of the law. The argumentation of the judgement is expected to be published at the beginning of August.

According to the court, the data retention law is suspended for 45 days and operators no longer have to retain data. If the government and parliament do not resolve the constitutional issues within 45 days, then the law will be annulled permanently.

Slovakia

On 23 April 2014, the Slovak Constitutional Court preliminarily suspended the effectiveness of the Slovak implementation of the Data Retention Directive. Although the case has been pending before the Court since October 2012, the Court decided to issue this preliminary measure and accept the case for further review only now. The preliminary suspension of effectiveness means that the Slovakian retention laws are still formally valid, but have no legal effect until the Court decides on the merits of the complaint. The Court, however, suspended only the provisions that mandate data retention itself, while leaving the provisions on access to that information intact for now. This means that ISPs will soon lose any legal obligation to store data about users. Any storage of users’ personal data will thus need to be limited to the general privacy regime.

In a nutshell, the Slovenian Court found the local data retention legislation to be disproportionate for the following reasons:
– massive and un-selective retention of data constitutes a breach of rights of a large proportion of population, while no grounded justification was provided for that;

– no justifications and grounds were provided for the selected retention periods (8 months for internet related and 14 months for telephony related data);

– the use of retained data was not limited to serious crime.

… and here are the countries that, by contrast, are confirming DR national rules (although with some accidents, such as in the Netherlands).

Denmark

In Denmark, the Parliament commissioned a study on the lawfulness of the local data retention legislation and reached the conclusion that it fully complies with the minimum proportionality requirements set out in the CJEU ruling.

Italy

While hesitating and ignoring the problem for a long time, Italy suddenly adopted new legislation which reinforced the data retention obligations, irrespective of and despite the annulment decision of the CJEU. By virtue of art. 4-bis, comma 1, of Legislative Decree n. 7 of February 18, 2015 (confirmed by law n. 43 of April 17, 2015), the Italian authorities decided that the retention of personal data (currently 24 months for calls and 12 months for Internet communications) should be extended up to December 2016 for certain categories of crimes (terrorism, mafia, etc.).

Sweden

In Sweden the situation is more controversial. Just after the annulment of the DR directive, various Swedish ISPs declared their intention to stop retaining data. PTS, the Swedish regulator, had initially announced that it would stop the enforcement of the data retention law – at least until the situation is clarified. The government ordered a study to be carried out and, on June 12, 2014, an expert group appointed by the Ministry of Justice concluded that the Swedish legislation on data retention is lawful, maintaining that, unlike the repealed directive, its provisions contain clear rules on the conditions for providing access to retained data. As a consequence of this intervention, most of the Swedish operators resumed data retention, while some of them resist, amongst them the ISP Bahnhof, which has been threatened by PTS for this reason.

The Netherlands

In November 2014 the Dutch government proposed some minor adjustments to the national data retention legislation, which have not yet come into force. In the meanwhile, a judge from The Hague declared the original law to be invalid and suspended its application; here is a comment about it.

UK

On July 17, a new data retention law came into force in the UK, the Data Retention and Investigatory Powers Act 2014 (DRIPA). The new legislation substantively re-enacts the mandatory data retention provisions of the UK 2009 Data Retention Regulations, which were based on the provisions of the annulled European Directive. The rules will continue to empower the Secretary of State to give data retention notices to public telecommunications operators. However, instead of the previous fixed 12 month period of retention, the current retention period may vary subject to a maximum of 12 months. The notice may specify different periods for different types of data. The notice may relate to an operator or description of operators. Complaints against the new regime have already been announced.

Today the European Court of Justice has declared invalid the European data retention directive (Directive 2006/24/EC), i.e. the entire set of rules obliging ISPs and telcos in Europe to retain data and information about citizens using electronic communications networks.

The Court has recognised that retention of personal data for the purpose of investigations is per se compatible with the European framework, although it may potentially interfere with basic fundamental rights such as privacy. However, the Court also found that the set of obligations laid down by the current directive is disproportionate and contrary to some fundamental rights protected by the Charter of Fundamental Rights, in particular to the principle of privacy, because “the wide ranging and particularly serious interference of the directive with the fundamental rights at issue is not sufficiently circumscribed to ensure that that interference is actually limited to what is strictly necessary” (NB: since the entry into force of the Lisbon Treaty in December 2009, the Charter of Fundamental Rights has the same value as the EU treaties, thereby forming part of the EU primary law). In particular, the Court challenges the following:

– the directive covers, in a generalised manner, all individuals, all means of electronic communication and all traffic data without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime;

– the directive fails to circumscribe, from both procedural and substantial point of view, the notion of “serious crime” and opens risks to potential abuses in the Member States;

– also the data retention period (from 6 to 24 months) is too generic and should be adapted to the specific objectives (crimes to be fought) to be pursued.

Interestingly, the question is what will happen with the current national legislation which has been enacted as transposition of the invalid directive.

Although one could think that this legislation has also become invalid, this is not an automatic effect of the annulment judgment. My comments are below.

– The effects of an invalidity ruling on an EC directive over the implementing national provisions

Neither the EC Treaties nor the precedent of the European court give clear guidance to this purpose.

According to art. 249 of the Treaty: “A directive shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods”.

This means that, in case of the annulment of a directive, it is up to the Member State to evaluate how to proceed. For the time being, we can see 2 main scenarios:

– in case of national provisions transposing EC rules declared void because they conflict with other prevailing EC rules (preeminence of privacy, for instance, as in the present case), the Member State has very little discretion. The national provisions must be abrogated quickly: if not, apart from a potential risk of infringement procedure by the European Commission, national courts and administrations shall dis-apply them immediately from now. In other words, following a well-established jurisprudence, such national provisions remain formally in force but without effects vis-à-vis individuals;

– conversely, if a directive is annulled because of a procedural reason, or if some of its provisions are not incompatible with the EU ruling, then Member States could make the necessary adjustments and maintain the national legislation in force. It will be a case-by-case evaluation, which may be complicated in practical circumstances. Fact is, some valid provisions can make sense only together with other provisions which, however, may have been declared incompatible with EU law.

– The consequences for Member States

Thus, in the present data retention case, Member States seem to have the alternative between:

1. abrogating the entire national data retention legislation; or:

2. modifying that legislation in order to meet the “proportionality concern” of the European Court.

If a Member State does not act quickly, it will be potentially subject to an infringement procedure by the European Commission. This will be quite paradoxical, because the Commission imposed fines on Member States for not complying with the directive. Some countries refused to implement the directive because of internal constitutional reasons (Germany, Romania, the Czech Republic, and in part also Cyprus and Bulgaria). For the European Commission this is an embarrassing situation.

– The consequences for the operators

In the meanwhile, if an operator claims that the national data retention legislation cannot be applied against it, it has an interesting case to defend. As stated above, the national data retention provisions have not been abrogated by the European Court; however, they have become ineffective as far as they do not pass the “proportionality test” indicated in the judgement. In my opinion, most of the national data retention legislation enacted in Europe after the 2006 directive does not pass that test. As a consequence, these data retention obligations are still in force but not effective anymore. What will happen in practice? While the central government will take time before taking a decision, at local level law enforcement and public prosecution services might still order the retention of data under the cybercrime convention regulation and defend their point until a court declares that such provisions are not applicable any longer. As a result, if ISPs refuse to enforce the (ineffective but non-abrogated) local data retention legislation they might be fined and required to challenge the punishment in court.

On the other side, the same operators are in a messy situation, because individuals could argue that the retention of their personal data on the operators’ servers is now illegal. One should remember that until the 2006 data retention directive came into force, retaining data was a voluntary or administrative practice aimed at some limited scopes like billing. However, with the annulment of the data retention directive such practice may be seen as an infringement of European privacy rules, which would amount to a criminal liability in some countries. In order to avoid such risks, operators could better decide to delete all the traffic data currently recorded on their servers.

– Next steps (UPDATE 11 APRIL 2014)

On Friday 11, 2014 a meeting between the Commission, privacy authorities and stakeholders took place in Brussels in order to discuss the consequences of the judgement. In reality, the meeting had been scheduled for some time in order to monitor the implementation of the data retention directive; however, following the judicial annulment of the same, the agenda was adapted accordingly. As far as I know, the European Commission informally declared the following:

1. The national legislations are still valid despite the annulment judgement. MY COMMENT: this is debatable, because most of the national legislation has implemented the annulled directive without changes and modifications; a legal mess is now emerging because individuals may challenge the retention of data by ISPs and the use of that data by public authorities;

2. The European Commission will not adopt guidelines in relation to the consequence of the annulment. MY COMMENT: this is disappointing. The Commission created a problem (and costs for the ISPs) and now they do not see the reason for intervening to limit damages.

Most probably, it will be up to the national data protection authorities to intervene in order to provide some certainty, if possible.

In the meanwhile, some Swedish operators have announced that they will stop the data retention activity following the annulment of the directive.

– Reactions

Commissioner Malmström, competent for Home Affairs, has declared the following: “The judgment of the Court brings clarity and confirms the critical conclusions in terms of proportionality of the Commission’s evaluation report of 2011 on the implementation of the data retention directive. The European Commission will now carefully assess the verdict and its impacts. The Commission will take its work forward in light of progress made in relation to the revision of the e-Privacy directive and taking into account the negotiations on the data protection framework”.

Also the President of the European Parliament, Schulz, intervened with a statement urging the Commission for a new proposal: “Today’s judgment must be carefully examined and the Commission will have to make a proposal which strikes the right balance between the legitimate interests at stake. Any new proposal must respect in every detail the guarantees laid down in the Charter of Fundamental Rights. It should in particular enshrine a high level of data protection – which is all the more essential in the digital age – thus avoiding disproportionate interferences with the private lives of citizens. It is only by upholding the highest standards at home on such issues that we can project our common values to the outside world.”

EDPS, the European Data Protection Authority, stressed that a new directive should this time comply with privacy rules:

“The EDPS welcomes the ruling of the Court of Justice of the EU in Digital Rights Ireland and Seitlinger and Others (Joined cases C-293/12, C-594/12) on the invalidity of the Data Retention Directive (Directive 2006/24/EC). It follows the input given by the EDPS in these proceedings. We consider this a landmark judgment that limits the blanket government surveillance of communications data (telephone, texts, email, internet connections etc.) permitted under the Directive. It highlights the value placed on the protection of fundamental rights at the core of EU policy in this critical area. We are particularly satisfied that the Court has underlined that the Data Retention Directive constitutes a serious and unjustified interference with the fundamental right to privacy enshrined in Article 7 of the EU Charter of Fundamental Rights. When an act imposes obligations which constitute such interference, the EU legislature should provide for the necessary guarantees rather than leaving this responsibility to the member states. We are pleased that the Court has ruled that the retention of communications data should have been duly specified and the EU legislator should also have ensured that such data can only be used in very specific contexts. The retention of communications data for the purposes of the combat of crime should always be precisely defined and clearly limited. The EU cannot leave the full responsibility for the use of the data with the member states. Among other things, the concept of serious crimes should have been more precisely described in the Directive and at the very least, basic principles governing access to and the use of the retained data should have been set out. We anticipate that the Commission, taking into account the Court’s judgment, will now reflect on the need for a new Directive, which will also prevent member states from keeping or imposing the same legal obligations nationally as laid out in the now invalid Data Retention Directive.
The judgment also means that the EU should take a firm position in discussions with third countries, particularly the U.S.A. on the access and use of communications data of EU residents”.